2. OBJECT OF THE DATA PROCESSING AGREEMENT

2.2 The contractor will process the personal data carefully and in accordance with the GDPR and other legislation applicable to the processing of personal data.

2.3 The contractor will process the obtained personal data only for the contracting authority and will follow all instructions given by the contracting authority in this connection, barring statutory obligations to the contrary.

2.4 The contractor will have no control over the purpose of the processing and the means used for that processing. Unless provided otherwise in this data processing agreement, the contractor will not make any decisions on the use of the personal data, disclosure to third parties or the period for which the personal data are stored. The contractor will never obtain control of the personal data disclosed under this data processing agreement.

2.5 The contractor will not engage any third parties without the prior approval of the contracting authority. The contracting authority may make the engagement of third parties subject to further conditions. The contractor will in any event ensure that any third party follows the contracting authority’s instructions, maintains confidentiality and takes the necessary security measures regarding the personal data processing. All obligations arising from this data processing agreement relevant to the protection and security of personal data will be included in the contract with the third party.

2.6 The contractor is not permitted to disclose personal data to any party other than the contracting authority, unless it does so at the written request of the contracting authority or with the written approval of the contracting authority. The contractor is obliged to confirm in writing that disclosure has taken place, specifying precisely which personal data was disclosed, the data subject(s), recipient(s) and time of disclosure.

2.7 If the contractor is obliged to disclose data on the basis of a statutory obligation, the contractor will verify the basis for the request and the identity of the requesting party and will inform the contracting authority, if possible prior to the disclosure.

2.8 The contractor will cooperate fully with the contracting authority in order to comply with obligations arising from the GDPR within the statutory time limits, in particular concerning the rights of data subjects, including but not limited to requests for access, correction, supplementation, removal or masking of personal data and compliance with any objection raised.

2.9 If the contractor discovers any illegal or unauthorised processing or infringements of the security measures, it will inform the contracting authority immediately and take all reasonably necessary measures to prevent or limit any existing or further unauthorised processing or infringement, without prejudice to the contractor’s obligation to compensate any resulting damage incurred by the contracting authority.

2.10 The contractor will inform the contracting authority of any data breach in an appropriate and timely manner. The contractor will subsequently keep the contracting authority informed of any new developments relating to the data breach and of the measures the contractor is taking to limit the consequences of the data breach and to prevent a recurrence. In addition, the contractor will cooperate fully with the contracting authority in fulfilling its duty, under articles 33 and 34 of the GDPR, to report the data breach to the Data Protection Authority and the data subject(s).

2.11 Any costs arising from articles 2.8 to 2.10 will be borne by the party that incurs them.

2.12 The contractor is liable for any administrative fine imposed by the Data Protection Authority and for any damage suffered by the data subject(s) or the contracting authority, in so far as the administrative fine or damage suffered is a result of an attributable failure by the contractor to fulfil its obligations.

3. APPLICABLE TERMS AND CONDITIONS

3.1 This data processing agreement is governed by the provisions of the contract except in so far as it deviates from them.

4. CONTINUING OBLIGATIONS

4.1 After the expiry of the contract and the data processing agreement, the contractor will continue to be bound by its existing obligations under this agreement, including but not limited to those obligations concerning transfer, the discovery of any unauthorised processing and its duty of confidentiality, as also specified in articles 2.8, 2.9, 2.10 and 7.4.

5. RETURN OF PERSONAL DATA

5.1 Once this data processing agreement terminates, the contractor will also cooperate fully with the transfer of the personal data processing activities to the contracting authority or to another contractor and do so in a manner that offers maximum safeguards for the continuity of service provision from the time of the transfer, or in any case ensures that it is not obstructed by acts or omissions of the contractor. The attendant costs incurred by the contractor will be borne by the contracting authority in so far as they are not included in the agreed prices and fees payable to the contractor for the performance of the data processing agreement.

6. SECURITY

6.1 The contractor will implement the technical and organisational security measures. These measures must guarantee, taking account of the latest technology and the costs of implementation and execution of such measures, an appropriate level of security having regard to the risks entailed by the processing and the nature of the personal data.

6.2 The contractor will not process any personal data outside a European Union member state, unless it has obtained express written approval to do so from the contracting authority.

7. CONFIDENTIALITY

7.1 The contractor is obliged to maintain the confidentiality of all personal data and information that it processes as a result of this data processing agreement, except in so far as the personal data or information is clearly not of a secret or confidential nature or is already in the public domain.

7.2 At the express written request of the contracting authority, the contractor will adopt special measures in relation to the personal data or information specified in the request to ensure the confidentiality of the personal data or information. Those measures may include destroying the personal data or information once the contractor no longer needs to have it at its disposal.

7.3 In its contracts with its staff, the contractor will apply the duty of confidentiality described in articles 7.1 and 7.2 to them with respect to all personal data and information that they process in the course of their work for the contractor. The contractor guarantees the contracting authority that those contractual provisions will be complied with by the persons concerned.

7.4 This article and the duty of confidentiality referred to herein will remain in force after the expiry of the contract and this data processing agreement.

8. AUDIT

8.1 The contracting authority has the right to audit the processing operations executed by the contractor, compliance with the agreed technical and organisational security measures and compliance with the measures taken to meet the obligation to report data breaches of the contractor, or those of third parties engaged by the contractor.

8.2 The contractor will provide all cooperation that is reasonably necessary with respect to the audit and ensure that any third parties it has engaged do the same.

8.3 The performance of an audit may not cause a delay to the work to be carried out by the contractor in the context of the contract and this data processing agreement. If such a delay arises, the parties will consult each other in order to resolve the delay as quickly as possible.

8.4 The cost of the audit will be borne by the contracting authority, unless the audit shows that the contractor has breached its obligations under this data processing agreement and/or the contract.

8.5 The contractor will implement recommendations for improvement made by the contracting authority within the period indicated by the contracting authority.

9. FINAL PROVISIONS

9.1 Any derogations from this data processing agreement are binding only if they have been expressly agreed by the parties in writing.

9.2 Any general terms of delivery or other general or specific terms and conditions drawn up by the contractor do not apply to this data processing agreement and are expressly rejected by the contracting authority.